<!doctype html>
<html lang=en>
<meta charset=utf-8>

<title>OpenSSH: Legacy Options</title>
<meta name="description" content="OpenSSH legacy support">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="canonical" href="https://www.openssh.com/legacy.html">
<link rel="stylesheet" type="text/css" href="openbsd.css">

<h2 id=OpenBSD>
<a href="/">
<i>Open</i><b>SSH</b></a>
Legacy Options
</h2>
<hr>

<p>
OpenSSH implements all of the cryptographic algorithms needed for
compatibility with standards-compliant SSH implementations, but since
some of the older algorithms have been found to be weak, not all of them
are enabled by default. This page describes what to do when OpenSSH refuses
to connect with an implementation that only supports legacy algorithms.

<p>
When a SSH client connects to a server, each side offers lists of connection
parameters to the other. These are, with the corresponding
<a href="https://man.openbsd.org/ssh_config.5">ssh_config</a> keyword:

<ul>
<li><code>KexAlgorithms</code>: the key exchange methods that are used to generate
per-connection keys
<li><code>Ciphers</code>: the ciphers to encrypt the connection
<li><code>MACs</code>: the message authentication codes used to detect traffic
modification
<li><code>PubkeyAcceptedKeyTypes</code>: the public key algorithms that the server
can use to authenticate itself to the client
</ul>

<p>
For a successful connection, there must be at least one
mutually-supported choice for each parameter.

<p>
If the client and server are unable to agree on a mutual set of parameters
then the connection will fail.  OpenSSH (7.0 and greater) will produce an
error message like this:

<pre>
Unable to negotiate with legacyhost: no matching key exchange method found.
Their offer: diffie-hellman-group1-sha1
</pre>

<p>
In this case, the client and server were unable to agree on the key
exchange algorithm. The server offered only a single method
<code>diffie-hellman-group1-sha1</code>. OpenSSH supports this method,
but does not enable it by default because is weak and within theoretical
range of the so-called Logjam attack.

<p>
The best resolution for these failures is to upgrade the software at
the other end. OpenSSH only disables algorithms that we actively
recommend against using because they are known to be weak. In
some cases, this might not be immediately possible so you may need to
temporarily re-enable the weak algorithms to retain access.

<p>
For the case of the above error message, OpenSSH can be configured to enable
the <code>diffie-hellman-group1-sha1</code>
key exchange algorithm (or any other that is disabled by default) using
the <code>KexAlgorithms</code> option - either on the command-line:

<pre class="cmdbox">
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost
</pre>

<p>
or in the <code>~/.ssh/config</code> file:

<pre class="cmdbox">
Host somehost.example.org
	KexAlgorithms +diffie-hellman-group1-sha1
</pre>

<p>
The '+' before the list instructs ssh to <strong>append</strong>
the algorithm to the client's default set rather than replacing the
default. By appending, you will automatically upgrade to the best
supported algorithm when the server starts supporting it.

<p>
Another example, this time where the client and server fail to agree on
a public key algorithm for host authentication:

<pre class="cmdbox">
Unable to negotiate with legacyhost: no matching host key type found. Their offer: ssh-dss
</pre>

<p>
OpenSSH 7.0 and greater similarly disable the <code>ssh-dss</code> (DSA)
public key algorithm. It too is weak and we recommend against its use.
It can be re-enabled using the <code>HostKeyAlgorithms</code> configuration
option:

<pre class="cmdbox">
ssh -oHostKeyAlgorithms=+ssh-dss user@legacyhost
</pre>

<p>
or in the <code>~/.ssh/config</code> file:

<pre class="cmdbox">
Host somehost.example.org
	HostKeyAlgorithms +ssh-dss
</pre>

<p>
Depending on the server configuration, it's possible for other connection
parameters to fail to negotiate. You might find the <code>Ciphers</code> and/or
<code>MACs</code> configuration options useful for enabling these. It's
also possible to query which algorithms ssh supports:

<pre class="cmdbox">
ssh -Q cipher       # List supported ciphers
ssh -Q mac          # List supported MACs
ssh -Q key          # List supported public key types
ssh -Q kex          # List supported key exchange algorithms
</pre>

<p>
Finally, it's also possible to query the configuration that ssh is actually
using when attempting to connect to a specific host, by using the <code>-G</code>
option:

<pre class="cmdbox">
ssh -G user@somehost.example.com
</pre>

<p>
which will list all the configuration options, including the chosen values for
the <code>Ciphers</code>, <code>MACs</code>, <code>HostKeyAlgorithms</code> and
<code>KexAlgorithms</code> parameters.
